What are the requirements for a digital product passport?

A compliant digital product passport under the ESPR regulation must include: (1) a unique product identifier registered in the EU DPP Registry, (2) a physical data carrier (QR code, RFID, or NFC tag) meeting ISO/IEC standards, (3) all mandatory data fields specified in the applicable delegated act, including product identity, material composition, performance data, and end-of-life information, (4) three-tier access control distinguishing consumer, economic operator, and market surveillance authority data, (5) machine-readable data accessible via standardised APIs, and (6) data maintained for the product's entire useful life plus a post-end-of-life period defined in the delegated act.

What data must a DPP contain?

DPP data requirements have five core layers: product identity and traceability (unique identifier, manufacturer details, model and serial/batch number, Declaration of Conformity reference); material composition (materials by weight percentage, REACH substances of concern, recycled content); performance and sustainability data (carbon footprint, energy efficiency class, durability and repairability scores, recyclability rate); repair and end-of-life information (spare parts availability, repair manuals, disassembly instructions, recycling classification); and compliance documentation (CE marking, third-party certificates, notified body references). Exact fields are specified per product category in each delegated act.

Who is responsible for creating a digital product passport?

The primary responsibility for creating a DPP rests with the manufacturer if they are established in the EU, or with the importer if the manufacturer is outside the EU and has not created a compliant DPP. Distributors are not required to create DPPs but must verify that a compliant DPP exists before placing products on the market and must not remove or obscure data carriers. If an importer creates the DPP in place of a non-EU manufacturer, they assume the full range of manufacturer obligations including data maintenance and registry registration.

What are the technical standards for a DPP?

The ESPR framework specifies technical standards across three areas. For data carriers: QR codes must comply with ISO/IEC 18004; RFID tags with ISO/IEC 18000-63; NFC with ISO/IEC 14443 or 15693; and GS1 Digital Link (version 1.3) is the recommended encoding standard for URL-based identifier resolution. For data formats: JSON-LD for structured data exchange; EPCIS 2.0 (ISO/IEC 19987) for supply chain event data; and W3C Verifiable Credentials for tamper-evident data. For API access: REST APIs with open, standardised interfaces; data must remain accessible for the product's full useful life plus the post-end-of-life period. Data must be hosted in the EU or in jurisdictions with EU data protection adequacy.

Is a digital product passport mandatory?

Yes, for product categories covered by ESPR delegated acts. The obligation becomes mandatory on the compliance date specified in each delegated act — not when a company is ready, but on the date set by the Commission. The first hard statutory deadline is February 18, 2027, for batteries (under EU Regulation 2023/1542). Delegated acts for textiles and electronics are expected in 2025-2026 with compliance deadlines 18-36 months after publication. Products placed on the EU market after the applicable compliance date without a compliant DPP cannot legally be sold in the EU, regardless of company size (though micro-enterprises may receive simplified requirements in some categories).

How long must a DPP remain accessible?

A DPP must remain accessible throughout the product's entire useful life and for a defined period after end-of-life. The exact post-end-of-life period is specified in each product category's delegated act — for batteries, the expectation is a minimum of 10 years beyond the battery's end of life. Operators must ensure data continuity even if they cease trading or change DPP platforms. This means data hosting and access obligations must be planned for the multi-decade product lifetime, not just for the sales and warranty period.

Do DPP requirements apply to products manufactured outside the EU?

Yes. The ESPR regulation applies to products placed on the EU market regardless of where they are manufactured. If a product manufactured outside the EU enters the EU market through an importer, the importer bears full DPP compliance responsibility if the manufacturer has not created a compliant DPP. EU importers sourcing from non-EU suppliers should include DPP compliance requirements in supplier contracts and conduct pre-shipment DPP verification for product categories under active delegated acts. Non-compliant products cannot legally be placed on the EU market — there is no grace period for imports.

What happens if a DPP is not compliant?

Products without a compliant DPP cannot be legally placed on the EU market under ESPR once the applicable delegated act's compliance date has passed. Market surveillance authorities — operating at national level and coordinating at EU level — have powers to require withdrawal, recall, or market prohibition of non-compliant products. The ESPR regulation enables member states to impose proportionate penalties, which are expected to include significant fines for systematic non-compliance. For importers and distributors, liability also extends to products they have made available on the market that lack compliant DPPs. Customs authorities are expected to use the EU DPP Registry to verify compliance at point of import.

DPP Requirements Checklist — 8 Core ESPR Compliance Areas

The 8 Core Digital Product Passport Requirements Under ESPR

Before working through each area in detail, here is what the regulation actually demands. Every DPP placed on the EU market under the ESPR framework must satisfy all eight of the following:

Product identity and unique identifier — a persistent, resolvable ID linked to a physical data carrier (QR code, RFID, or NFC)
Data completeness — all mandatory fields defined in the applicable delegated act populated with verified information
Technical data carrier compliance — carrier must meet ISO/IEC standards, remain legible throughout product life, and comply with GS1 Digital Link or equivalent
DPP Registry registration — unique identifier registered in the EU DPP Registry before market placement
Access control implementation — three-tier access model (consumer, economic operator, market surveillance authority) correctly configured
API availability — data must be machine-readable and accessible via standardised APIs for the product's entire useful life plus post-end-of-life period
Operator obligation mapping — clear chain of responsibility established between manufacturer, importer, and distributor
Update and data quality obligations — processes in place to maintain data accuracy and update records when product information changes

The eight requirements above are not a checklist you work through once at launch. They represent ongoing obligations for as long as your product remains on the EU market. Understanding what a digital product passport is at a structural level is the starting point; this guide covers what implementing one in compliance with the regulation actually requires.

DPP Data Requirements: What Must Be in the Passport

The ESPR regulation defines a mandatory data architecture. Product-specific delegated acts then layer on additional fields for their category. The core data structure has five layers, each with its own verification and update obligations.

Layer 1: Product Identity and Traceability

This is the foundation of every DPP. Without a valid, persistent identifier that resolves to a live data endpoint, nothing else in the passport is legally accessible or technically verifiable. The identity layer must include:

DPP Product Identity — Mandatory Data Fields
Data Field	Format / Standard	Verification Requirement
Unique Product Identifier (UPI)	GS1 Digital Link, QR-encoded URL, or equivalent	Registered in EU DPP Registry pre-placement
Manufacturer name and registered address	Legal entity name, EU EORI number where applicable	Self-declaration with DoC reference
Product model / type identifier	Manufacturer's part number or GTIN	Self-declaration
Batch / serial number	Granularity level defined in delegated act (unit, batch, or model)	Self-declaration
Country of manufacture	ISO 3166-1 alpha-2 country code	Self-declaration
Date of production	ISO 8601 (YYYY-MM-DD or YYYY-MM)	Self-declaration
Declaration of Conformity (DoC) reference	Document number and date	Linked to full DoC document in DPP

The GS1 Digital Link standard is the recommended identifier scheme under ESPR because it encodes a URL directly into a barcode or QR code. This means a single scan can resolve to different data layers depending on the actor's permissions — the same physical QR code routes a consumer to sustainability information and a recycler to material composition data, without needing separate codes or manual look-ups.

Layer 2: Material Composition and Substance Data

This is the layer most manufacturers underestimate at the start of their DPP implementation. Full material composition disclosure requires data from sub-tier suppliers that many companies do not currently collect systematically.

Required disclosures include:

Material composition by weight percentage — including primary materials, coatings, and surface treatments
Substances of Very High Concern (SVHCs) listed under REACH — disclosure required at concentrations above 0.1% by weight
Hazardous substances restricted under applicable product legislation
Recycled content percentage — separately for pre-consumer and post-consumer recycled material, where applicable
Critical raw material sourcing declarations (mandatory for batteries under EU Regulation 2023/1542 for cobalt, lithium, nickel, and natural graphite; expected to extend to electronics and other categories)
Material origin — geographic provenance for flagged materials in applicable delegated acts

One practical challenge: REACH currently lists over 240 SVHCs, and the list is updated twice annually. A DPP implementation that treats SVHC disclosure as a one-time data entry will be non-compliant within months of launch. Update processes must connect to live regulatory substance databases.

Layer 3: Performance, Durability, and Sustainability Data

Performance data requirements vary significantly by product category, but the ESPR framework defines a common set of parameters that delegated acts draw from:

DPP Performance Data Requirements by Parameter Type
Parameter	Data Required	Third-Party Verification?
Carbon footprint	Lifecycle carbon (kg CO2e), methodology used, assessment boundary	Required for high-value categories; expected to extend
Energy efficiency class	EU energy label class (A–G) or product-specific scale	Based on standardised test; may require notified body
Durability / expected lifetime	Rated lifetime in years or cycles; test conditions	Test report reference required
Repairability score	Numeric score and methodology (where mandated by delegated act)	Self-declaration with supporting evidence
Recyclability rate	Percentage by weight recyclable; methodology	Third-party for complex products
Recycled content	Percentage by weight; material type	Supply chain verification documentation
Battery state-of-health	Current charge capacity; rated capacity; degradation data	Updatable in-use; real-time for EV batteries

For batteries specifically — the product category with the hardest compliance deadline of February 2027 — the EU battery passport requirements add state-of-health monitoring, rated capacity, and battery lifetime data that must be updated dynamically as the battery ages. This fundamentally changes the DPP from a static document to a live data record.

Layer 4: Repair, Maintenance, and End-of-Life Information

The circular economy data layer is where many DPP implementations stall because it requires collaboration with aftersales, spare parts, and logistics teams who have historically managed this information in isolation from product compliance:

Availability of spare parts — parts list with expected availability period
Repair manuals — links to current, format-accessible versions
Authorised repair centres — directory or search function
Disassembly instructions for recyclers — step-by-step at component level
Recyclability classification by component — identifies which materials require specialist handling
Hazardous component locations — for safe disassembly at end-of-life
Take-back scheme information — collection points, return logistics
Software update availability period — for products with embedded software

Layer 5: Certification, Compliance, and Documentation

The compliance layer links the DPP to the legal documentation that backs the product's market authorisation:

CE marking reference and applicable directives / regulations
Full Declaration of Conformity — either embedded or linked
Third-party audit certificates and their validity periods
Notified body information (where applicable)
Standards applied in product testing (EN/ISO references)
EU type-examination certificate references (for regulated categories)

Technical Standards and Data Carrier Requirements

Technical compliance is the area where implementation projects most frequently run into unforeseen scope. The regulation prescribes specific standards for how DPP data must be structured, stored, and accessed — not just what data must be present.

Data Carrier Standards

The physical link between the product and its digital record must meet the following:

DPP Data Carrier Technical Requirements
Carrier Type	Standard	Primary Use Case	Key Requirement
QR Code	ISO/IEC 18004	Consumer products, textiles, packaging	Must remain legible throughout product lifetime; minimum print size per application guidelines
GS1 QR Code (Digital Link)	GS1 Digital Link 1.3 / ISO/IEC 18004	Retail, FMCG, consumer goods	URL-encoded identifier resolving to DPP endpoint
RFID (UHF)	ISO/IEC 18000-63 (EPC Gen2)	Textiles, logistics, high-value goods	EPC code linked to DPP; reader-accessible without line-of-sight
NFC Tag	ISO/IEC 14443 / ISO/IEC 15693	Electronics, appliances, industrial equipment	NDEF record containing DPP URL; tamper evidence for high-value items
Data Matrix	ISO/IEC 16022	Small components, medical devices, electronics	Permitted where QR code size is impractical

One requirement that catches manufacturers by surprise: the data carrier must remain functional and legible for the product's entire useful life, not just at point of sale. For a product with a 10-year rated lifetime, a QR code printed on a sticker that degrades after three years fails the technical standard even if the underlying data is compliant. Carrier selection needs input from product engineering, not just compliance teams.

API and Data Format Requirements

The ESPR framework specifies that DPP data must be machine-readable and accessible via open, standardised APIs. Current expectations based on the CIRPASS project — the EU's pilot DPP implementation initiative — point toward:

REST APIs — JSON-LD as the preferred data exchange format, enabling semantic interoperability across supply chains
Linked Data standards — alignment with the W3C Verifiable Credentials specification for trustworthy, tamper-evident data exchange
EPCIS 2.0 (ISO/IEC 19987) — for supply chain event traceability and batch-level tracking
OpenAPI specification — for published API interfaces enabling third-party integration by recyclers, auditors, and market surveillance bodies
Data Spaces interoperability — alignment with the EU Data Spaces framework, particularly GAIA-X and the upcoming product data space architecture

Data Storage and Hosting Requirements

Data hosting must satisfy three conditions simultaneously: jurisdiction compliance, availability duration, and access performance. The ESPR framework requires:

Hosting within the EU or in jurisdictions with EU-equivalent data protection (GDPR adequacy decisions)
Availability throughout the product's entire useful life plus a defined post-end-of-life period (the specific duration is set per product category in delegated acts)
Uptime commitments that support market surveillance access without unreasonable delay
Data continuity obligations — if the operator ceases operations, the data must remain accessible via an alternative mechanism

For manufacturers without existing cloud infrastructure, building compliant data hosting from scratch is a significant investment. Purpose-built platforms handle jurisdiction, availability, and continuity requirements as part of their service architecture — the DPP generation tool overview covers how these technical obligations translate into managed service capabilities.

Operator Obligations: Who Is Responsible for What

One of the most misunderstood aspects of ESPR compliance is the chain of responsibility for DPP creation and maintenance. The regulation does not simply place all obligations on the product manufacturer. It distributes responsibilities across the supply chain based on each actor's role in placing the product on the EU market.

Manufacturer Obligations

The manufacturer is the primary responsible party when they are established in the EU or when they are the entity placing the product on the EU market. Manufacturer obligations include:

Creating the DPP before the product is placed on the market
Populating all mandatory data fields as defined in the applicable delegated act
Registering the unique identifier in the EU DPP Registry
Ensuring the data carrier is affixed to the product (or its packaging, or accompanying documentation, depending on product type)
Maintaining data accuracy throughout the product's market life
Updating the DPP when product information changes (material composition changes, substance list updates, spare part availability changes)
Ensuring third-party verifications are obtained where mandated by the delegated act
Providing the DPP to importers and distributors upon request

Importer Obligations

An importer is an EU-established entity that places a product from a non-EU manufacturer on the EU market. If the manufacturer has not created a compliant DPP, the importer assumes effective manufacturer status for DPP purposes:

Verify that the DPP exists and is compliant before placing the product on the market
If no compliant DPP exists, create one — with all the same obligations as a manufacturer
Maintain a copy of the DPP and make it available to market surveillance authorities for 10 years after market placement
Ensure the product carries the data carrier before any distribution to other parties
Pass DPP access credentials to distributors and downstream operators

This obligation has major implications for EU importers sourcing from Asia. If a Chinese supplier delivers a product without a compliant DPP — or with a DPP that fails EU technical standards — the EU importer bears full compliance responsibility. The practical response is to include DPP compliance requirements in supplier contracts and to conduct pre-shipment DPP audits for product categories already under active delegated acts.

Distributor Obligations

Distributors — including online marketplaces — carry lighter but still significant obligations:

Verify that a compliant DPP exists and that the data carrier is present on the product before making it available on the market
Not remove, modify, or obscure the data carrier
Cooperate with market surveillance authorities and provide access to DPP records upon request
If they become aware of a DPP compliance issue, notify the manufacturer or importer and, where the product presents a risk, notify competent authorities

DPP Operator Obligations Summary
Obligation	Manufacturer	Importer	Distributor
Create DPP	Yes — primary responsibility	Yes, if manufacturer has not	No
Register UPI in EU Registry	Yes	Yes, if acting as manufacturer	No
Verify DPP compliance before market placement	N/A (creates DPP)	Yes — pre-placement verification	Yes — pre-distribution check
Maintain DPP records (10 years post-placement)	Yes	Yes	No (unless acting as importer)
Update DPP when data changes	Yes	Yes, for DPPs they created	No
Provide DPP to authorities on request	Yes	Yes	Yes — within their supply chain role

Access Control Levels: The Three-Tier Permission Model

The ESPR regulation distinguishes between three categories of data within a DPP, each accessible to a different set of actors. Implementing this access control correctly is both a technical requirement and a strategic consideration — some commercially sensitive data that must be in the DPP is appropriately restricted to authorised economic operators or market surveillance authorities, not published to general consumers.

Tier 1: Public Consumer Access

Accessible to anyone scanning the data carrier without authentication. Typically includes:

Product model, manufacturer name, and country of origin
Key sustainability parameters (energy efficiency class, recycled content percentage, repairability score)
Carbon footprint summary data
Repair and maintenance information — spare parts availability, repair centre locations
End-of-life instructions — take-back schemes, recycling classification
CE marking and applicable regulation references

Tier 2: Economic Operator Access

Accessible to authenticated business entities in the supply chain — recyclers, second-hand dealers, professional repairers, raw material recovery facilities. This tier often includes commercially sensitive data that is necessary for circular economy operations but should not be publicly disclosed:

Detailed material composition — precise weight percentages and sub-component breakdown
Substance concentrations — specific SVHC concentrations, not just presence/absence flags
Disassembly instructions — step-by-step with component specifications
Hazardous component precise locations — for safe handling at end-of-life
Proprietary supplier information in aggregated form

Tier 3: Market Surveillance Authority Access

Accessible only to EU market surveillance authorities via secure, authenticated channels. Contains the complete compliance record:

Full Declaration of Conformity and supporting technical documentation
Third-party audit reports and notified body certificates
Complete test reports including failed tests during development
Supply chain documentation — full supplier list with traceability records
DPP version history — complete audit trail of all changes and when they were made
All economic operator information in the supply chain

Configuring these tiers requires a DPP platform with role-based access control at the field level, not just at the document level. Each data field needs an access classification, and the API must enforce that classification for every request. This is one of the primary technical reasons why building DPP infrastructure on general-purpose CMS or document management systems is not viable for compliant implementations.

DPP Registry Requirements

The EU DPP Registry is a central component of the ESPR enforcement architecture. Before a product can be placed on the EU market, its unique identifier must be registered in this registry. The Commission is developing the registry as a federated system — individual operators and member states can run compliant registries that interoperate with the central EU system — but the registration obligation itself is non-negotiable.

Registration requirements include:

Unique Product Identifier in compliant format (GS1 Digital Link or approved equivalent)
Manufacturer or responsible economic operator identification
Product category classification (delegated act reference)
DPP data endpoint URL — the live API endpoint where the DPP data can be retrieved
Registration date and intended market placement date
Relevant product category codes (CN code for customs, TARIC for imports)

The registry serves two enforcement functions. First, it allows customs and border control to verify that imported products claiming DPP compliance have an active, registered identifier before they clear into the EU market. Second, it allows market surveillance authorities to initiate DPP audits by resolving identifiers found on products in the market to their complete data records.

Operators should register identifiers before products are manufactured in their final configuration, not at the point of shipment. The registration timeline needs to be integrated into product development and launch processes, not treated as a last-minute compliance step.

Data Quality and Verification Requirements

Populating a DPP with data is the starting point. Maintaining that data at the level of accuracy the regulation requires is the ongoing challenge. ESPR sets data quality expectations that are more demanding than most companies' current supplier data collection processes.

Data Quality Standards

Accuracy — data must reflect actual product characteristics, not design specifications that differ from production reality
Currency — data must be updated when underlying product characteristics change; stale data is non-compliant data
Completeness — all mandatory fields must be populated; partial DPPs are not compliant DPPs
Traceability — the source of each data point must be documentable; for third-party verified data, the verifier and verification date must be recorded
Consistency — data in the DPP must be consistent with the Declaration of Conformity, product labelling, and any other market access documentation

Verification Requirements by Data Type

Not all DPP data carries the same verification burden. The regulation creates a tiered system where high-environmental-impact data requires independent verification:

Self-declaration acceptable — product identity, manufacturer information, basic performance claims where standardised test methods apply, repair information
Test report required — energy efficiency class, durability ratings, recyclability claims where specific testing methodology is defined in the delegated act
Third-party verification required — carbon footprint claims (for categories where this is specified), SVHC substance concentrations, recycled content claims above defined thresholds
Notified body certification required — for product categories falling within existing conformity assessment frameworks (medical devices, PPE, etc.) where DPP data intersects with safety certification

Update Obligations in Practice

Three scenarios trigger mandatory DPP updates under ESPR:

Material or component change — any substitution that alters material composition, substance content, recycled content percentage, or carbon footprint requires an updated DPP before the modified product is placed on the market
Regulatory list changes — when a substance is newly listed under REACH SVHC or a restricted substance list, existing DPPs for products containing that substance must be updated within the timeframe specified in the relevant regulatory action
Spare parts or service availability changes — if spare parts listed in the DPP become unavailable, or if authorised repair centres close, the DPP must be updated to reflect current availability

Manufacturer Compliance Checklist: Step-by-Step

The checklist below follows the implementation sequence that compliance teams and operations managers should work through when preparing for DPP obligations. For a detailed process walkthrough, the guide on how to create a DPP covers each phase in depth.

Phase 1: Scope and Timeline Assessment

Identify which of your product categories fall under active or imminent delegated acts
Map compliance deadlines — battery DPP required from February 2027; textiles and electronics following as delegated acts publish
Determine identifier granularity required — unit-level, batch-level, or model-level
Assess whether you are acting as manufacturer, importer, or both in the EU supply chain
Identify supplier relationships that will need to provide DPP input data

Phase 2: Data Architecture and Gap Analysis

Map all mandatory data fields from the applicable delegated act against current data availability
Identify data gaps — fields required in the DPP that are not currently collected or verified
Assess third-party verification requirements — which data fields need external verification and who will provide it
Evaluate supply chain data readiness — do your tier-1 and tier-2 suppliers have the data you need?
Map which data fields are commercially sensitive and must be restricted to tier-2 or tier-3 access

Phase 3: Technical Infrastructure Selection

Decide between in-house DPP infrastructure build or purpose-built platform — compare options in the DPP software comparison
Select data carrier type and integrate into product manufacturing and packaging process
Establish GS1 company prefix for Digital Link identifiers or equivalent identifier scheme
Configure access control tiers in your DPP platform
Set up API endpoint and verify compliance with ESPR technical specifications
Establish EU-compliant data hosting or confirm your platform provider's hosting compliance

Phase 4: Data Collection and Validation

Implement supplier data collection processes — questionnaires, data portals, or EDI integration
Conduct SVHC substance screening across product materials
Commission required third-party verifications — carbon footprint, recycled content, performance claims
Validate data consistency between DPP fields, Declaration of Conformity, and product labelling
Establish REACH substance list monitoring to flag required DPP updates when lists change

Phase 5: Registry Registration and Market Launch

Register unique identifiers in the EU DPP Registry before product placement
Verify data carrier legibility and scanning performance on physical product
Conduct end-to-end DPP resolution test — scan carrier, verify correct data endpoint, verify access control
Provide DPP access credentials to importers and distributors
Establish internal process for DPP data updates triggered by product or regulatory changes
Document data retention procedures for the 10-year post-placement period

Common Compliance Gaps and How to Address Them

Companies that have started DPP implementation pilots consistently encounter the same set of gaps between their initial compliance assumptions and the actual regulatory requirements. Understanding these in advance saves significant remediation cost.

Gap 1: Supplier Data Readiness

The most common gap. Companies discover during DPP implementation that their material composition data comes from product specifications, not from verified supply chain data. Specifications and actuals diverge — especially for recycled content claims and SVHC screening. The fix requires supplier engagement programmes with contractual data obligations, not just DPP software deployment.

Gap 2: Data Carrier Durability

Choosing a QR code printed on adhesive label stock for a product with a 15-year rated lifetime. The data carrier must survive conditions the product encounters during its useful life. Products exposed to UV, moisture, abrasion, or extreme temperature need embedded or durable-substrate carriers — not afterthought label stickers. Carrier selection needs to happen in product design, not compliance review.

Gap 3: Static DPP Architecture

Building a DPP as a PDF or static web page rather than a structured, API-accessible data record. Market surveillance authorities need machine-readable data they can interrogate systematically across thousands of products — not documents that require human reading. The regulation specifies API accessibility as a technical requirement, and inspectors will test it.

Gap 4: Access Control Misconfiguration

Implementing single-tier public access and treating the DPP as equivalent to a consumer-facing product information page. This exposes commercially sensitive substance concentration data or detailed disassembly information to competitors. Equally, misconfiguring access so that recyclers cannot reach material composition data they need defeats the circular economy purpose of the regulation. Both errors create compliance risk.

Gap 5: No Update Process

Treating DPP creation as a one-time project rather than an ongoing operational process. Regulatory substance lists update twice yearly. Material suppliers change. Spare parts become unavailable. Without a defined internal process — and system support for triggered updates — DPPs drift out of compliance within months of initial publication. The ESPR regulation is explicit that maintaining current, accurate DPP data is an ongoing legal obligation, not an initial compliance exercise.

Gap 6: Importer Verification Failures

EU importers of non-EU products assuming the manufacturer's DPP is compliant without verification. A DPP created to satisfy a non-EU jurisdiction's requirements (or a voluntary standard) may fail on technical format, access control, registry registration, or data field completeness against the specific delegated act's requirements. Importers need a pre-placement DPP verification checklist for every product category under active delegated acts.

Interoperability Standards: Why They Matter

The EU's DPP architecture is explicitly designed to avoid data silos. A DPP created by a German manufacturer needs to be readable by a recycler in Portugal, auditable by a French market surveillance authority, and accessible to a Polish logistics platform. Achieving this requires adherence to interoperability standards that are not optional add-ons to DPP compliance — they are part of it.

The key interoperability frameworks shaping DPP implementation:

EPCIS 2.0 (ISO/IEC 19987) — the standard for sharing supply chain event data across organisations and systems. Enables end-to-end product traceability from manufacturing through distribution to end-of-life, with standardised event types and data structures that any EPCIS-compliant system can parse.
W3C Verifiable Credentials — provides cryptographic tamper-evidence for DPP data. A verifiable credential cannot be altered without detection, making it suitable for high-stakes data like carbon footprint claims and substance declarations that regulators or procurement systems need to rely on without direct supplier contact.
GAIA-X / EU Data Spaces — the EU's federated data infrastructure initiative. As the Product Data Space matures (expected 2025-2027), DPP systems will need to expose data in Data Spaces-compatible formats to enable cross-company data sharing without centralisation.
JSON-LD and RDF — the semantic data formats enabling machine interpretation of DPP data across different domain models. A recycling facility's data model for "material composition" may differ from a manufacturer's ERP field definition — JSON-LD provides the semantic layer that allows these to be mapped without manual translation.

The GS1 Digital Link standard sits beneath all of this as the physical-to-digital bridge. Its adoption as the recommended data carrier encoding standard under ESPR is not accidental — GS1 Digital Link is already used in retail supply chains globally, meaning many product categories will be able to extend existing barcode infrastructure rather than replacing it entirely.

Choosing a DPP software platform that has built these interoperability standards into its architecture — rather than treating them as future roadmap items — is one of the most consequential technical decisions in a DPP implementation programme.

Product-Category Specific Requirements: Textiles

The textile product passport requirements illustrate how the core ESPR framework acquires product-specific depth through delegated acts. For textile companies preparing ahead of the expected 2025-2026 delegated act, the additional data requirements being developed include:

Fibre composition by percentage — primary fibre, secondary fibres, and blends — with country-of-origin declarations for natural fibres
Presence and concentration of restricted substances under REACH and EU chemical legislation
Recyclability classification — whether the garment can be mechanically or chemically recycled, and the specific sorting instructions
Durability claims and the test methodology used
Care instructions in machine-readable format (not just printed labels)
Extended Producer Responsibility (EPR) registration information for the relevant member states
Second-hand resale information — repair potential rating

The scope of the textile DPP means that brands will need data from dyehouse, finisher, and fabric mill suppliers — typically three to four tiers up the supply chain — that they have never systematically collected before. Starting supplier engagement programmes now, before the delegated act is finalised, puts brands significantly ahead of the compliance curve.

Selecting a DPP Platform: What to Look For

For manufacturers evaluating DPP implementation options, the decision between building in-house and deploying a purpose-built platform is primarily a question of timeline and technical risk. Building compliant DPP infrastructure requires API architecture, role-based access control, EU-compliant data hosting, GS1 Digital Link integration, and EU DPP Registry connectivity — a minimum 12-18 month engineering project for a capable team starting from scratch.

Purpose-built platforms compress this to weeks of configuration rather than months of development, with the added benefit of maintaining regulatory compliance as technical standards evolve. The key evaluation criteria for any DPP platform:

Does it support all three access control tiers at field level?
Does it generate GS1 Digital Link-compliant identifiers natively?
Is the data hosted within EU jurisdiction or adequacy-decision countries?
Does it support the EU DPP Registry registration process?
Can it handle dynamic data updates — including battery state-of-health for applicable products?
Does it expose data via open, standardised APIs (REST/JSON-LD)?
Is it built on interoperability standards (EPCIS 2.0, W3C Verifiable Credentials)?
What is the data retention commitment — and what happens to data if the platform ceases operations?

Explore the DPP generation features and DPP plans to understand how DPP-Tool addresses each of these requirements for manufacturers across product categories.

Frequently Asked Questions: DPP Requirements

What are the requirements for a digital product passport?: A compliant DPP under ESPR must satisfy eight requirements: a unique product identifier registered in the EU DPP Registry; a physical data carrier meeting applicable ISO/IEC standards; all mandatory data fields specified in the relevant delegated act; three-tier access control; machine-readable data via standardised APIs; EU-compliant data hosting; clear operator obligation assignment; and active data maintenance processes. Each requirement applies continuously — not just at the point of market launch.
What data must a DPP contain?: DPP data requirements span five layers: product identity (unique identifier, manufacturer details, Declaration of Conformity); material composition (materials by weight percentage, REACH SVHCs, recycled content); performance and sustainability (carbon footprint, durability, energy efficiency, repairability score); repair and end-of-life (spare parts, disassembly instructions, recycling guidance); and compliance documentation (CE marking, third-party certificates). The exact mandatory fields are defined per product category in each delegated act — and may be expanded as the regulation matures.
Who is responsible for creating a digital product passport?: The manufacturer bears primary responsibility when they are EU-established or when they place the product on the EU market directly. If the manufacturer is outside the EU and has not created a compliant DPP, the EU importer assumes full manufacturer obligations — including creation, registry registration, and ongoing maintenance. Distributors have verification and preservation obligations but do not create DPPs. The chain of responsibility must be documented and traceable.
What are the technical standards for a DPP?: Three areas carry technical standards. Data carriers must comply with ISO/IEC 18004 (QR), ISO/IEC 18000-63 (RFID), or ISO/IEC 14443/15693 (NFC) — with GS1 Digital Link as the recommended encoding scheme. Data formats should use JSON-LD for structured data, EPCIS 2.0 for supply chain events, and W3C Verifiable Credentials for tamper-evident records. API access must be via open REST interfaces with data hosted in EU-jurisdiction or adequacy-decision countries for the product's full useful life.
Is a digital product passport mandatory?: Yes, for product categories covered by ESPR delegated acts, from the compliance date specified in each act. The first statutory deadline is February 18, 2027, for batteries under EU Regulation 2023/1542. Textiles and electronics delegated acts are expected in 2025-2026 with mandatory compliance 18-36 months later. After the applicable date, products cannot legally enter the EU market without a compliant DPP — regardless of company size.
How long must a DPP remain accessible?: A DPP must remain accessible throughout the product's entire useful life and for a defined post-end-of-life period set in each delegated act — for batteries, a minimum of 10 years beyond end-of-life is the working expectation. Operators must plan for data continuity even if they change platforms or cease trading. This is a multi-decade obligation that must be built into DPP infrastructure from the start, not treated as a post-sales afterthought.
Do DPP requirements apply to non-EU manufacturers?: Yes. ESPR applies to all products placed on the EU market regardless of manufacturing origin. EU importers of non-EU products bear full DPP compliance responsibility if the manufacturer has not created a conformant passport. Importers should contractually require DPP compliance from non-EU suppliers and conduct pre-placement DPP verification. Non-compliant products face market prohibition at customs and market surveillance enforcement within the EU.
What happens if a DPP is not compliant?: Non-compliant products cannot legally be placed on the EU market. Market surveillance authorities can require product withdrawal, recall, and market prohibition. Member states set proportionate penalties under national enforcement frameworks, and systematic non-compliance is expected to attract significant fines. Customs authorities will use the EU DPP Registry to verify compliance at import — making registry registration a hard gate, not a post-clearance formality.